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Amendments to the Claims : 
This listing of claims replaces all prior versions and listings of claims in the application: 

Listing of Claims : 

1 . (Currently Amended) A graphical user interface rendered on a display associated with 
fer an intrusion detection system, the graphical user interface comprising: 

a field that depicts a summary of anomalies identified as part of an event that is detected 
in a network, the summary indicating event severity details of the event; and 

an alert action region including a control to permit a user to snooze fiiture alerts related to 
the event in the summary for a period of time. 

2. (Currently Amended) The graphical user interface of claim 1 wherein the snooze 
control feature can be is selected based on event types and roles of hosts. 

3. (Currently Amended) The graphical user interface of claim 1 fiirther comprising: 

a control to allow a user to clear an alert if the alert appears on an ^ overview page that 
provides an operator with an aggregated view of network status . 

4. (Original) The graphical user interface of claim 3 wherein an event details region of 
the graphical user interface depicts anomalies that were used to classify the event. 

5. (Original) The graphical user interface of claim 1 wherein details of events include 
values of source, destination, and protocol that caused an event to be raised. 

6. (Original) The graphical user interface of claim 1 wherein event severity is coded by 
an indicia. 
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7. (Original) The graphical user interface of claim 1 wherein the interface includes a 
control to clear a selected alert. 

8. (Original) The graphical user interface of claim 1 wherein the interface includes a 
details control that allows a user to observe details about a selected anomaly. 

9. (Currently Amended) The graphical user interface of claim 1 wherein the details 
control presents a hst of IP addresses to which a the host attempted to connect to. 

10. (Currently Amended) A method comprises: 

providing an operator with a list of events identified by an intrusion detection system, 
within the list of events being information indicating event severity, with event severity 
determined for based on an even t, bv the event having a percentage relationship to an established 
threshold for issuing an event notification; and 

displaying the details of a selected one of the events to a use r; and 
providing on a graphical user interface a snooze control to allow a user to snooze ©an 
"snooz e " future alerts related to the selected event. 

11. (Currently Amended) The method of claim 10 the snooze control allows an event to 
be snoozed for a fixed period of time. 

12. (Currently Amended) The method of claim 10 wherein the snooze control is can b e 
for selected event types and roles. 



13. (Original) The method of claim 10 ftirther comprising: 
clearing a selected alert from the list of events. 
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14. (Currently Amended) The method of claim 13 further comprising: 
displaying e v e nt d e tails including anomalies that were used to classify the event. 

15. (Currently Amended) The method of claim 14 further comprising: 

displaying event details that indicate historically normal operating conditions of a host 
and current operating conditions of a host to allow the operator to take an appropriate action. 

16. (Original) The method of claim 15 wherein one of the operating conditions displayed 
is normal and current connection rates of the host. 

17. (Currently Amended) The method of claim 1 5 wherein the type of events include 
[["]] worm propagation, unauthorized access, denial of service attacks, and historical anomaly. 

18. (Original) The method of claim 10 further comprising: 

displaying event details including destination and source fields populated with IP 
addresses and role classification of the host in the network. 

19. (Original) The method of claim 10 further comprising: 
displaying actions taken by the operator for the particular event. 

20. (Currently Amended) The method of claim 10 further comprising: 
displaying network statistics associated with network flows ; and 

displaying a ranking of hosts in the network according to a network statistical measure. 

21 . (Currently Amended) The method of claim 20 40 wherein the network statistics are 
statistical measure is a number of bytes per second and packets per second of each type of 
protocol observed in the system. 
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22. (Currently Amended) A computer program product residing on a computer readable 
medium for producing a graphical user interface for an intrusion detection system, the computer 
program product comprising instructions for causing a computer to: 

render a graphical user interface on an output device, the graphical user interface 
comprising: 

a field that depicts a summary of anomalies identified as part of an event that is detected 
in a network, the summary indicating event severity details of the event; 

an alert action region including a control to permit a user to snooze fiiture alerts related to 
the event in the summary for a period of time. 

23. (Currently Amended) The computer program product of claim 22 wherein the snooze 
control f e atur e can b e selected based on event types and roles of hosts. 

24. (Currently Amended) The graphical user interface of claim 22 fiirther comprising 
instructions to render in the graphical user interface: 

a control to allow a user to clear an alert if the alert appears on an ^ overview page that 
provides an operator with an aggregated view of network status . 

25. (Original) The computer program product of claim 22 wherein an event details region 
of the graphical user interface depicts anomalies that were used to classify the event. 



